On Mon, Aug 1, 2011 at 12:15 PM, Rob Weir <[email protected]> wrote:
> On Mon, Aug 1, 2011 at 2:59 PM, Simon Phipps <[email protected]> wrote:
> > One observation about this discussion: Until there is actually a way to
> > make a binary deliverable from AOOo, any inbound security alerts would
> > probably need to be referred to LibreOffice anyway. While the Apache-only
> > list that's being speculatively designed here might be applicable once the
> > project is creating deliverables, but until then a pragmatic approach of a
> > temporary and inclusive list seems hugely preferable.
> >
>
> It is possible that some reports would be shared. It is also possible
> that some would not. For example, a report might be a duplicate. It
> might be wrong. It might be spam. It might require a followup to
> clarify. It might involve code that doesn't exist in LibreOffice. The
> discretion with the PPMC and their delegates.
>
> The Apache Security page makes it clear to reporters that they are
> reporting a vulnerability to Apache where it will be discussed
> privately by the project team. They are not told that their report,
> with their name, company affiliation and other contact info, will be
> shared more broadly than that. So even in instances where we did
> share information, such as with a 3rd party expert or via a
> pre-notification, that initial report would only be shared in
> anonymized form.
>

I don't think I understand how your response, which refers to the functioning of a future list once AOOo has an operational development process, applies to my comment, which refers to the situation now when any incoming security issue would probably be triaged by fixing & recommending use of LibreOffice.

S.
